How to Identify Phishing Emails

You sign in to your work email and see you have an email from a colleague. 

The message says they sent over some documents for you to review. 

But you weren’t expecting any documents from them. 

You open the attachments to view the documents because the sender’s name is someone you work with. 

Every day, employees receive emails to their work inboxes. And every day, hackers look for ways to get into the systems of businesses. It may seem like common sense, but remaining vigilant is key to preventing attacks from hackers. 

Being aware of and responsive to email phishing can benefit you and your business. 

Take a look at how email phishing can cause problems and ways to prevent falling victim to it. 

What Is Phishing?

A hacker typically uses a method known as phishing to invade your computer systems. Phishing campaigns can take different forms, but the goal is to get access to sensitive information using social engineering. According to the Federal Trade Commission:

“Phishing is a type of online scam that targets consumers by sending them an e-mail that appears to be from a well-known source – an internet service provider, a bank, or a mortgage company, for example. It asks the consumer to provide personal identifying information. Then a scammer uses the information to open new accounts or invade the consumer’s existing accounts.”

A data study from Verizon showed that 36% of breaches involved phishing. And, your small or mid-sized business is not immune to phishing attempts. 

One study showed that 43% of all data breaches occur in small and medium-sized businesses. That’s nearly half of all data breaches! It’s no wonder why cybersecurity is one of the biggest workplace trends that’s here to stay. 

Ways to Identify Phishing Emails (+ Examples)

There are many types of email phishing attacks, but the three you may encounter most often are:

• Fraud phishing
• Malware
• Link manipulation/fake websites

In each of these examples, be sure to look for things such as:

• Bad grammar
• A generic greeting (e.g., Sir or Madam)
• The email signature
• Hyperlinks 

1. Fraud Phishing

Think of all the email addresses your company has. Then, consider how many email addresses your friends and family members have. Cybercriminals will use email account addresses you think you can trust in fraud phishing. In this type of email phishing, the hacker uses a spoofed account or email address very similar to a real company address. 

For example, your company may have a general IT department email. The real email address is IT@company.com. But, the hacker uses IT@cornpany.com. The ‘m’ in ‘company’ is replaced with ‘r’ and ‘n’ to hide that the email address domain name is incorrect. 

Often, attackers use these phishing email attempts to seem legitimate so the recipient will follow their instructions. And, they give a sense of urgency so you don’t think before you click. They may ask you to send or transfer funds, update employee information, send your own personal information, or follow a link.

If you do an electronic funds transfer, reply to the email, or follow the link, your email system (and potentially the entire company’s server!) are at risk. The attackers can access sensitive information like bank account numbers, login credentials, Social Security numbers, and more. 

Heads up! Fraud phishers commonly impersonate the IRS. Keep in mind that the IRS will never contact you via email, text, or social media. Check out the IRS website for more information on IRS phishing attempts.

2. Malware

Malware often ties in with fraud phishing—but not always. It can come in your email as an attachment, on a link, as a GIF, or as an embedded video. Clicking any of the items in the email allows the malicious software (aka malware) to download onto your device. 

Once the malware downloads, it can wreak havoc on not only your computer but also the entire server, client, or computer network. What malware does depends entirely on the software program. 

The types of malware you may receive in an email include:

• Virus: Program designed to infect other programs or files
• Worm: A self-replicating program that does not have a host program. Does not need to interact with the developer of the malware
• Trojan horse: Looks like a legitimate program and infects the system once installed and activated
• Spyware: Malicious program designed to collect information on the user and the device without the user knowing
• Ransomware: Software that encrypts a user’s data so hackers can demand ransom payments in exchange for decrypting the information
• Keylogger: Monitors the systems of the computer and tracks everything a user does (e.g., keystrokes, emails, web pages opened, etc.)

3. Link Manipulation/Fake Websites

Do you have a video streaming service? What about online banking? When it comes to link manipulation, hackers create fake website addresses designed to look like real sites so you’ll click the link. That link sends you to a realistic but fake website designed to look like the real link. 

With fake websites, the premise is the same. But, cyber criminals often try to send you an email that instructs you to go to a specific page of the website, like the login page. The link is subtly different from the real site’s URL. Once on the page, the fake website steals your account information when you try to log into your account. 

Measures to Take to Protect Your Business

So, how do you prevent phishing from happening? Unfortunately, you can’t. But, you can take measures to protect your business. 

First, ensure that everyone in the company is aware of phishing and what to look out for, including:

• Email addresses
• URLs to links
• Suspicious or strange email attachments

Notify your team to forward any suspicious emails to your IT department for further investigation. (Tip: employees can check hyperlinks by hovering their cursor over their link before they click!)

Consider using two-factor authentication (aka multi-factor authentication), too. This helps verify that the person logging into the account is who they say they are. You can use your phone number (typically, a mobile phone) or email as methods for two-step verification.

Prevent and avoid phishing scams by:

• Protecting personal data on social networks
• Setting up spam filters on email accounts (e.g., Gmail)
• Using password-protected WiFi connections and IP addresses
• Creating new passwords for all accounts
• Selecting strong security questions for all accounts
• Using strong passwords
• Creating unique passwords for every account
• Installing anti-malware programs (or other security programs) on your computer or web browser

Above all, mistakes can still happen. If you or someone in your company falls for a phishing hack, take steps to resolve the problem. It’s always a good idea to run anti-malware programs if you suspect a data breach, too. 

Email Phishing? Stop It in Its Tracks

Email phishing and hacks are common in the digital age. But, that doesn’t mean you have to sit back and let it happen to you and your business. Be on the lookout for the most common types of phishing attempts, and pay attention to all the ways you can help prevent them. 

To learn more about email phishing and other types of phishing, check out the Federal Trade Commission’s website. Or, contact a member of your IT department or another IT professional. 

Jena Kosinski is a Content Writer for Patriot Software, LLC. Patriot offers online accounting software and payroll for business owners and their accountants. At Patriot, Jena enjoys creating useful and informative content.